EIMS Filter FAQ

(Unofficial)

Frequently Asked Questions about filtering unwanted email with Eudora Internet Mail Server (EIMS)

 

Definitions

What is a filter?

Where are these filters?

What is SPAM?

What is UCE?

What is a DNS Blacklist (DNSBL)?

What is an Open Relay?

Product Questions

Why does EIMS need mail filters?

Doesn't EIMS already come with Filters?

What types of Filters are there?

I am using the NUL and LF filter that comes with EIMS. It seems to be blocking legitimate email. Why is this?

What additional filters are available for EIMS?

I am evaluating Simple Text Filter (STF) for EIMS. Is there an easy way to get a head start on spam rulesets?

Is there any documentation for Tom Shaw's STF filters? Still cannot seem to get the macros working right.

What is the difference between the STF rule files that I download from the STF Filters page and what is contained in the online database?

Do I need to combine the downloaded STF rules into one rule file, or can I use them separately?

How do I write a rule for STF?

How does a DNSBL work?

Why am I experiencing inbound mail delays when I use the MAPS filters that ship with EIMS?

How To's

The filters I have don't stop enough! What can I do?

How can I evaluate a DNS Blacklist (DNSBL)?

How well do Filters stop E-mail viruses and SPAM?

How can I edit an existing filter to block a spam source?

How can I build my own DNSBL?

How can I find out if an IP number is listed in a DNSBL?

How do I set up a "spam trap" address?

Other Resources

Where can I read more about SPAM?

Are there other FAQ's about EIMS?


Definitions

What is a filter?

A filter is a mechanism EIMS uses to reject unwanted or malformed email before it reaches a mailbox. There are several reasons to do this. Incorrectly formed mail can affect the operation of EIMS or even hang or crash the server, and a large volume of unsolicited email can degrade the operation of your mail server.
Where are these filters?
EIMS supports a filter plugin architecture. The filter plugins are kept in the Filters folder within the EIMS folder.
 
What is SPAM?
SPAM is a generic term for unwanted email from someone you don't know. The email is most often commercial: a "get-rich-quick" scheme, discounted pharmaceuticals, or solicitations to visit a pornographic web site. Originators of SPAM typically buy lists of thousands of email addresses and send mass mailings. This is worse than "junk" mail via the postal system because the cost of SPAM is largely shifted to the recipient.
 
Here is a more complete legal description from MAPS L.L.C:

An electronic message is "spam" IF: (1) the recipient's personal identity and context are irrelevant because the message is equally applicable to many other potential recipients; AND (2) the recipient has not verifiably granted deliberate, explicit, and still-revocable permission for it to be sent; AND (3) the transmission and reception of the message appears to the recipient to give a disproportionate benefit to the sender.


DISCUSSION:

(i) Trivial or mechanised personalization such as "Dear Mr. Jones, we see that you are the holder of the JONES.COM domain" does not make the personal identity of the recipient relevant in any way.

(ii) Failing to click the "do not send me marketing literature by e-mail" button in a web sign-up form does not convey explicit permission. Only when the default result is "no followup e-mail" AND the inbox impact is clearly stated before any action which changes this result, can permission of this kind be conveyed.

(iii) The appearance of disproportionate benefit to the sender, and the relevancy of the recipient's specific personal identity, are authoritatively determined by the recipient, and are not subject to argument or reinterpretation by the sender.

(iv) Non-personal e-mail always places a disproportionate cost burden on the recipient, and is considered to disproportionately benefit the sender unless it was verifiably solicited or by the recipient's willing exception.

(v) A message need not be offensive or commercial in order to fit the definition of "spam." Content is irrelevant except to the extent necessary to determine personal applicability, consent, and benefit.
 
What is UCE?
(Unsolicited Commercial Email, or spam)
 
What is a DNS Blacklist (DNSBL)?
A type of filter based on the internet address of an incoming email connection. When another mail server connects to deliver mail, EIMS knows the IP address the connection came from (the address of the TCP connection itself, not anything the sending server claims in its HELO greeting, so it is far harder to forge than a message header). The DNSBL filter looks that IP address up in an online listing of undesirable IP addresses. The listing resides as a "zone", a special domain, on a DNS server. If the incoming address is blacklisted (i.e. the DNS lookup finds a match for the IP address), the connection is rejected. This happens early in the SMTP (Simple Mail Transfer Protocol) transaction, before the message itself is transferred.
 
What is an Open Relay?
In essence, an open relay is a mail server that allows anyone from anywhere to send mail through it to any destination, and open relays have carried a large share of UCE (Unsolicited Commercial Email, or spam). If your EIMS server relays for the world, it is being hijacked. This is a frequent tactic of commercial spammers, who route through a third-party mail server to conceal the source of their messages or to bypass an existing block against their own addresses.
 
 

Product Questions

Why does EIMS need mail filters?
EIMS is a well written software package that takes great care to conform to the internet standards for email handling (the RFCs). Unfortunately, some mail sources and spammers break these rules, and the resulting traffic can affect the operation of your mail server or saturate it. To ensure reliable operation, evaluate the filters provided with EIMS and install the ones appropriate to your own service conditions.
Doesn't EIMS already come with Filters?
Yes, EIMS comes provided with a number of specifically targeted filters. The latest versions are available here.
What types of Filters are there?
Generally, there are two types of filters that operate on a mail server, distinguished by how the filter works. A DNS-referencing (DNSBL) filter compares the source IP address of an incoming connection against a DNS blacklist and takes action if a match occurs. This check happens at the beginning of the email receipt process, before the message itself is transferred, so a rejected message costs almost no bandwidth or disk. A content-based filter acts after the email is received but before it is routed to the user's mailbox. This type of filter examines the various parts of the received email (headers, body, attachments) and takes action based on matches against a part of the incoming email.
I am using the NUL and LF filter that comes with EIMS. It seems to be blocking legitimate email. Why is this?
EIMS carefully adheres to internet mail standards. Other vendors' products aren't quite so careful and may originate or relay mail that does not conform to the standards. Spammers very frequently send malformed email that can even disrupt the operation of a mail server. The NUL and LF filter blocks incoming mail that contains stray, non-conforming NUL, LF and CR characters: every line of a message must end with the CRLF pair, and a CR or LF on its own (or a NUL byte anywhere) is not allowed. The reference for proper format is http://www.faqs.org/rfcs/rfc2822.html; section 2.3 states that CR and LF must only occur together as CRLF. If a legitimate correspondent is being blocked, their software (or a relay in between) is emitting bare LF or bare CR line endings and should be fixed at the source, because the same defect will cause trouble with other strict receivers too.
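As an added illustration (not part of the EIMS filter, which is a compiled plugin), the following Python checks raw message bytes for exactly the three faults the NUL and LF filter rejects and reports where the first one occurs, which is what you need when a correspondent asks why their mail bounced. The sample messages are constructed here, and the wording of the 550 reply is an assumption modelled on the 550 5.7.0 replies used elsewhere in this FAQ.

```python
"""Scan raw message bytes for the faults the NUL and LF filter rejects.

Added example, not the EIMS plugin.  RFC 2822 section 2.3: CR and LF must
only occur together as CRLF, and NUL is not a legal message character."""
import re
from typing import Dict

_NUL = re.compile(rb"\x00")
_BARE_CR = re.compile(rb"\r(?!\n)")     # CR not followed by LF
_BARE_LF = re.compile(rb"(?<!\r)\n")    # LF not preceded by CR
_ANY_EOL = re.compile(rb"\r\n|\r|\n")   # lenient line split, used only to locate faults


def scan_message(raw: bytes) -> Dict[str, Dict[str, int]]:
    """Return {fault: {"count": n, "first_line": line}} for each fault found.

    Line numbers are 1-based and count CRLF, bare CR and bare LF as line
    ends, which is how a tolerant reader would see the message."""
    faults: Dict[str, Dict[str, int]] = {}
    for name, pat in (("NUL", _NUL), ("bare CR", _BARE_CR), ("bare LF", _BARE_LF)):
        hits = list(pat.finditer(raw))
        if hits:
            line = len(_ANY_EOL.split(raw[: hits[0].start()]))
            faults[name] = {"count": len(hits), "first_line": line}
    return faults


def smtp_verdict(raw: bytes) -> str:
    """The SMTP reply a filter would give after DATA (reply wording assumed)."""
    faults = scan_message(raw)
    if not faults:
        return "250 OK"
    detail = "; ".join(
        f"{k} x{v['count']}, first at line {v['first_line']}" for k, v in faults.items()
    )
    return "550 5.7.0 Message rejected, non-conforming line endings: " + detail


if __name__ == "__main__":
    # Constructed sample messages, not captured traffic.
    clean = b"From: a@example.com\r\nSubject: hi\r\n\r\nbody\r\n"
    broken = b"From: a@example.com\nSubject: x\r\n\r\nbody\x00text\r\n"
    print(smtp_verdict(clean))
    print(smtp_verdict(broken))
```

Run it against a message saved raw from the server (not from a mail client, which will already have normalized the line endings); a bare LF on line 1 is the classic signature of a sender that writes Unix text files straight to the socket.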
What additional filters are available for EIMS?
The following is a partial listing of third party EIMS filter plugins:
Filtre & Go - the first generic EIMS filter.
Simple Text Filter (STF) - a plug-in filter for EIMS 2.x and later. It allows you to specify text to search for within an email message and to reject messages that contain a match.
TOLD - TOLD is a helper application for EIMS that can replace all the current spam and virus filters. TOLD filters email based on any number of automatically net-updatable spam and virus descriptions and flags suspicious email in a way that makes it easy for users to filter it in their email applications.
I am evaluating Simple Text Filter (STF) for EIMS. Is there an easy way to get a head start on spam rulesets?
This web site provides downloadable rule sets created by Tom Shaw. The ruleset database is searchable online.
James Grubic has created a FileMaker database of his local rulesets here.
 
Is there any documentation for Tom Shaw's STF filters? Still cannot seem to get the macros working right.
Here is some information:
MACRO Virus1 550 5.7.0 This message may contain the
MACRO Virus1a 550 5.7.0 This message contains HTML used by viruses
MACRO Virus2 (code:
MACRO Virus3 ). Mail rejected - contact postmaster.
MACRO Attach1 550 5.7.0 This message contains a Microsoft
MACRO Attach1a 550 5.7.0 This message contains a
MACRO Attach2 (code:
MACRO Attach3 ). Due to viral risk, this mail is rejected - either compress the file or contact the postmaster.
MACRO DNSbl1 550 5.7.0 Message origination IP [
MACRO DNSbl2 ] blacklisted for SPAM (code:
MACRO DNSbl3 ). Contact postmaster for details.
MACRO Redirect1 Messages that contain redirect URLs (code:
MACRO Redirect2 (code:
MACRO Redirect3 ) are rejected. Contact postmaster for details.
MACRO Spam1 550 5.7.0 Rejected by filter (code:
MACRO Spam1a 550 5.7.0 Mail rejected due to FormMail Relay (code:
MACRO Spam1b 550 5.7.0 HTML with side effects not accepted. (code:
MACRO Spam1c 550 5.7.0 HTML with forms and mailtos not accepted. (code:
MACRO Spam1d 550 5.7.0 Due to spam your IP range has been blocked. (code:
MACRO Spam2 (code:
MACRO Spam3 ). Contact postmaster for details.
MACRO Spam3a ). Copies forwarded to the SEC. Contact postmaster for details.
MACRO Bounce1 STF bounced (
MACRO Bounce3 , %h (%i), Frm: %s To: %r]

For an error message they typically work like this:
In the rule is the returned error message for example: "|Spam1|C-3567|Spam3|" since
Spam1 = "550 5.7.0 Rejected by filter (code: "
Spam3 = "). Contact postmaster for details."

Following "|Spam1|C-3567|Spam3|" the error returned to the user is:
"550 5.7.0 Rejected by filter (code: C-3567 ). Contact postmaster for details."
For a logged message they typically work like this:
In the rule is the logged message for example: |Bounce1|H*:1 EmailMarket emediablast.com) [C-3567|Bounce3|
since
Bounce1 = "STF bounced ("
Bounce3 = ", %h (%i), Frm: %s To: %r]"

Following "|Bounce1|H*:1 EmailMarket emediablast.com) [C-3567|Bounce3|" the information sent to the log is:

"STF bounced (H*:1 EmailMarket emediablast.com) [C-3567 , %h (%i), Frm: %s To: %r]"

Which means STF bounced mail because of an initial mime & mail header match (eg H*:1) from an Email Bulk Mailer/Marketer: emediablast.com. This is content rule C-3567. The mail came from host %h (maybe forged) on IP %i. The mail was from %s (maybe forged) to %r.

From Tom Shaw's posting on the STF list 4/29/02
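To make the macro mechanism concrete, here is an added Python sketch (not STF's own code) that expands a rule's message field the way the posting describes: each pipe-delimited segment is either a macro name, replaced by its text, or a literal kept as is, and the %h/%i/%s/%r tokens are filled in from the connection when the log line is written. The macro table is transcribed from the posting; segments are concatenated with no added spacing, so the code comes out as "(code: C-3567)" rather than the "(code: C-3567 )" the posting shows (whether STF inserts that space is not stated). The check that an expanded reply starts with a three-digit SMTP code, and the field names behind the %-tokens, are this example's own additions.

```python
"""Expand STF-style message fields: text between pipes is a macro name
(replaced by its text) or a literal (kept as is).  Added example, not STF's
own code; the macro table is transcribed from the posting above."""
import re
from typing import Dict

MACROS: Dict[str, str] = {
    "Spam1": "550 5.7.0 Rejected by filter (code: ",
    "Spam3": "). Contact postmaster for details.",
    "Bounce1": "STF bounced (",
    "Bounce3": ", %h (%i), Frm: %s To: %r]",
}

# Connection values substituted when the log line is written.  The posting
# names the tokens; the field names on the right are an assumption.
TOKEN_FIELDS = {"%h": "helo_host", "%i": "ip", "%s": "sender", "%r": "recipient"}


def expand(field: str, macros: Dict[str, str] = MACROS) -> str:
    """'|Spam1|C-3567|Spam3|' -> macro text + literal + macro text.

    Segments are concatenated verbatim; the empty segments produced by the
    leading and trailing pipe contribute nothing."""
    return "".join(macros.get(seg, seg) for seg in field.split("|") if seg)


def smtp_reply(field: str, macros: Dict[str, str] = MACROS) -> str:
    """Expanded error message, checked to be a usable one-line SMTP reply.

    A rule whose macro name was mistyped ("|Spam|C-3567|Spam3|") would
    otherwise hand the client a line with no status code at all."""
    text = expand(field, macros)
    if not re.match(r"[2-5]\d\d ", text) or "\r" in text or "\n" in text:
        raise ValueError(f"not a valid SMTP reply: {text!r}")
    return text


def log_line(field: str, conn: Dict[str, str], macros: Dict[str, str] = MACROS) -> str:
    """Expand the macros, then fill %h/%i/%s/%r from the connection.

    One regex pass, so a token that happens to appear inside a substituted
    value (a sender address containing '%r') is not expanded a second time."""
    text = expand(field, macros)
    return re.sub(r"%[hisr]", lambda m: conn[TOKEN_FIELDS[m.group(0)]], text)


if __name__ == "__main__":
    # Constructed connection values, not a real session.
    conn = {"helo_host": "mail.example.net", "ip": "192.0.2.10",
            "sender": "bulk@example.net", "recipient": "user@example.org"}
    print(smtp_reply("|Spam1|C-3567|Spam3|"))
    print(log_line("|Bounce1|H*:1 EmailMarket emediablast.com) [C-3567|Bounce3|", conn))
```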
What is the difference between the STF rule files that I download from the STF Filters page and what is contained in the online database?
The rule files as downloaded are a subset of the fields that are in the database. The download files contain only active and in-test rules. The file is formatted for STF to use. The additional fields in the database provide additional information such as tracking, date and confidence levels. Inactive rules are also maintained in the database.
 
Do I need to combine the downloaded STF rules into one rule file, or can I use them separately?
You can go either way. The STF preference file default configuration uses a single rule file called "SimpleText Filter Rules". You may combine the rule downloads in this single file. Some folks find it easier to maintain separate files. In order for STF to access separate rule files, some additional lines in the preference file need to be added:
RULESFILE format
RULESFILE content rules
RULESFILE 45day
RULESFILE blackholes
RULESFILE virus
An example preference file is available for download at the STF filters site
 
How do I write a rule for STF?
Tom Shaw has a number of excellent web pages to reference for STF use. These pages include instructions on rule writing, and STF rule installation instructions.
How does a DNSBL work?
A DNS Blackhole is just a zone on a DNS server that contains A (sometimes CNAMEs as well) and TXT records (eg domain / IP addresses and text information). To make it work you do a DNS query (just like your browser does when it's looking up a web page). The query is of the form xxx.xxx.xxx.xxx.zone.dnsbl.org where xxx.xxx.xxx.xxx is the IP and .zone.dnsbl.org is the DNSbl zone you are interested in. If your query succeeds then that means that the IP is listed (depending upon the type of response it could tell you more and/or why it's in the db).

So how does Glenn's filter work? It takes the mail sender's IP and adds to it the filter's 'STR#' resource ID=128 string #1 to create the xxx.xxx.xxx.xxx.zone.dnsbl.org query. It looks at the "DNS filter exclusions" file to see if the mail should pass unbounced regardless. If the query returns a value then the mail is bounced using the contents of the 'STR#' resource ID=128 string #3 as the returned error message and then logs the bounce using the 'STR#' resource ID=128 string #2 text to the EIMS error log.
 
When you tailor Glenn's Filter you need to edit these three text strings using ResEdit which can be downloaded from Apple's web site.

I highly recommend that you resedit 'STR#' resource ID=128 string #3 of any DNSbl that you use to contain helpful information in case a good guy gets blocked.

(from Tom Shaw's posting on the EIMS list 3/25/02)
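An added Python example (not Glenn's filter, which is a compiled plugin edited with ResEdit) of the lookup sequence the posting describes. Note that the query name uses the IP's octets in reverse order (192.0.2.10 becomes 10.2.0.192.zone), the same convention as in-addr.arpa and as in the zone example later in this FAQ. The zone contents, the exclusions file and its one-address-or-CIDR-per-line format, and the zone name blackholes.example.net are constructed for the example; the resolver is a function argument so a real DNS lookup can replace the table. Two checks the posting does not mention are included because they bite in practice: a lookup that times out is treated as "not listed" rather than holding the connection (see the MAPS delay question below), and an answer outside 127.0.0.0/8 is ignored, because that is what a lapsed DNSBL domain re-registered with a wildcard returns for every query.

```python
"""DNSBL lookup, as the posting above describes it.

Added example, not Glenn Anderson's filter.  Zone data, the exclusions
file and the zone name are constructed; the resolver is an argument so a
real DNS lookup can be dropped in."""
import ipaddress
from typing import Callable, List, Optional, Tuple

ZONE = "blackholes.example.net"                      # assumed zone name
LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")  # where real DNSBL answers live

# Constructed zone: reversed-octet owner name -> (A answer, TXT reason).
SAMPLE_ZONE = {
    "10.2.0.192." + ZONE: ("127.0.0.2", "open relay, see http://blackholes.example.net/192.0.2.10"),
    "25.113.0.203." + ZONE: ("127.0.0.4", "spam source"),
    "2.0.0.127." + ZONE: ("127.0.0.2", "test entry"),
}

Resolver = Callable[[str], Optional[str]]


def sample_resolve_a(name: str) -> Optional[str]:
    """Stand-in for an A lookup: None plays the role of NXDOMAIN."""
    rec = SAMPLE_ZONE.get(name)
    return rec[0] if rec else None


def sample_resolve_txt(name: str) -> Optional[str]:
    rec = SAMPLE_ZONE.get(name)
    return rec[1] if rec else None


def dnsbl_name(ip: str, zone: str = ZONE) -> str:
    """192.0.2.10 -> 10.2.0.192.<zone>: octets reversed, as in in-addr.arpa."""
    addr = ipaddress.IPv4Address(ip)               # rejects malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def load_exclusions(text: str) -> List[ipaddress.IPv4Network]:
    """Assumed format of the "DNS filter exclusions" file: one address or
    CIDR block per line, '#' starts a comment."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.IPv4Network(line, strict=False))
    return nets


EXCLUSIONS = load_exclusions("""
# constructed: our own relay, and a partner's netblock
192.0.2.10
198.51.100.0/24
""")


def check_sender(ip: str, zone: str = ZONE, resolve_a: Resolver = sample_resolve_a,
                 resolve_txt: Resolver = sample_resolve_txt,
                 exclusions: List[ipaddress.IPv4Network] = EXCLUSIONS) -> Tuple[str, str]:
    """Return ("accept" | "reject", detail), in the filter's order:
    exclusions first, then the DNS query, then the reply built from the answer."""
    addr = ipaddress.IPv4Address(ip)
    if any(addr in net for net in exclusions):
        return "accept", "excluded by DNS filter exclusions"
    name = dnsbl_name(ip, zone)
    try:
        answer = resolve_a(name)
    except OSError as exc:          # timeout or SERVFAIL: fail open, but say so in the log
        return "accept", f"DNSBL lookup of {name} failed ({exc}); mail accepted"
    if answer is None:
        return "accept", "not listed"
    # A listing answer outside 127.0.0.0/8 means the zone is broken or the
    # domain lapsed and now wildcards everything; do not block on it.
    if ipaddress.IPv4Address(answer) not in LISTED_RANGE:
        return "accept", f"ignored unexpected answer {answer} for {name}"
    reason = resolve_txt(name) or "no TXT record"
    return "reject", f"550 5.7.0 Message origination IP [{ip}] blacklisted ({answer}): {reason}"


if __name__ == "__main__":
    for client in ("192.0.2.10", "203.0.113.25", "203.0.113.26", "127.0.0.2"):
        print(client, *check_sender(client))
```

Looking up 127.0.0.2 is the usual way to confirm a zone is alive and answering; an operator who cannot get a listing back for that address should assume the filter is silently passing everything.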

Why am I experiencing inbound mail delays when I use the MAPS filters that ship with EIMS?
MAPS is free for home/hobbyist users, but $$ for everyone else. However, whether hobbyist or commercial, one still has to fill out, sign, and fax back MAPS contracts before using the service now (thanks to some sue-happy spam houses). The delay is probably the filter timing out. MAPS will block any attempts to reference its DNSbl database which originate from IP addresses not expressly permitted by MAPS to use the d/b....and as I mentioned, the only way for such permission is to send them paperwork. (from Michael Wise EIMS list posting Apr 5, 2002)
MAPS is currently regarded as a good DNSBL, but not cost free.
 

How To's

 
How can I evaluate a DNS Blacklist (DNSBL)?
A couple of EIMS mail administrators with experience using DNSBL's have web pages giving information:
Dr. Monsted - EIMS filter page
OITC SPAM filter page
There is periodic discussion on the EIMS mail list of DNSBL services.
There is a comprehensive list of all known DNS based Spam Databases
Jeff Mackey of the San Diego Supercomputer Center has put together a blacklist comparison site
As a general note - DNSBL list administrators have varying criteria for listing and delisting IP netblocks. Certain DNSBL's have no formal appeal/correction contact protocol if an "innocent party" entry gets made (e.g. spews.org). Certain DNSBL's also will list large blocks of IP space if a large network provider appears unresponsive to abuse complaints, which also affects many innocent small parties inside those blocks. Current examples of DNSBL's that have this policy with respect to Sprint and other carriers are:
spambag.org
xbl.selwerd.cx
blackholes.five-ten-sg.com
spews.org (spews.relays.osirusoft.com)
relays.osirusoft.com (since it combines zones and uses spews.org)
The above DNSBL's are not recommended.
 
How can I edit an existing filter to block a spam source?
You can edit the Space Patrol Filter that is provided with EIMS using ResEdit on its 'STR#' resource ID 128. There you specify the email header to check (e.g. FROM:), the text to match (e.g. SOMEBODY@SOMEWHERE.COM), and the log and error messages. The header name and the match text must be entered in capital letters.
A more detailed set of instructions from Hazlitt as posted on the EIMS list 14 Aug 2002 follows:
--------------------------------------------------------------------------
Tutorial: modify Space Patrol Filter to bounce spam with other signatures:
--------------------------------------------------------------------------

- The latest version of Glenn Anderson's Space Patrol Filter can be downloaded from <http://www.eudora.co.nz/eimsfilters.html>

- Duplicate or otherwise make a copy of Space Patrol Filter in the Finder. Rename the copy with a descriptive name other than "Space Patrol Filter." For the example in this tutorial, "SPF Viagra" is a good name for a modified version of SPF which will bounce messages with "VIAGRA" in the subject.

- Launch ResEdit. More info and latest download links at: <http://www.ResExcellence.com/support_files/resedit.shtml>

- Open your copy of SPF in ResEdit

- Double click the "STR#" resource. The string resource window opens

- Double click STR ID "128" and its dialog opens revealing four text entry fields

- In field "1)" you can optionally replace The String "Subject with long space from " with a label descriptive of your new filter, e.g., "Bounce messages whose subject contains VIAGRA" or just leave it alone since the filename in the Finder tells the story and the other parameters are obvious once you are in ResEdit.

- In field "2)" you can replace The String "550 5.7.0 message unacceptable" with the server response that you want to be included in the bounce message. Glenn's 'message unacceptable' in SPF is good since it does not give away much information to the spammer about why it was bounced, in case the spammer reads the bounce message to get info to attempt to circumvent the filter.

- In field "3)" replace The String "SUBJECT:" with name of the header component you wish to check on. You must type in ALL CAPS for this entry and end with a colon. Your options for this field include, but are not limited to, "RETURN-PATH:", "RECEIVED:", "MIME-VERSION:", "SENDER:", "X-SENDER:", "MESSAGE-ID:", "DATE:", "TO:", "FROM:", "SUBJECT:", "CONTENT-TYPE:". Note that you cannot search on strings in the message body using SPF, nor can you perform a global search of the header. You must specify a header component to search as outlined here. For our example, leave this field as-is to simply search the subject line, which is probably the most common type of search for this filter anyway. Any type of filter you make that is based on a single signature such as a string being contained in the subject line is more likely to generate false positives... so seriously consider how your modified SPF might affect your accounts, or license and use Simple Text Filter for more advanced filtering options with EIMS.

- In field "4)" replace The String " " with a string that, if it occurs in the part of the header that you specified in field #3, will trigger the filter to tell EIMS to bounce the message and return the error in field #2. You must make the entry in field #4 in ALL CAPS, for our example, "VIAGRA"

- Choose "Save" from the "File" menu and quit ResEdit

- Move the new "SPF Viagra" filter into the "Filters" folder located in your "EIMS Folder"

- You must restart EIMS Server for your modified Space Patrol filters to function properly

- Start over at the second step to create additional filters for bouncing messages with other signatures.
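Here is the same check in Python, as an added example rather than Space Patrol Filter's own code, so the meaning of the four strings is explicit: the header name must be ALL CAPS and end with a colon, the match text must be ALL CAPS, and the comparison is made against the uppercased header value (the plugin is compiled; that it uppercases the header rather than matching case-sensitively is inferred from the ALL CAPS requirement and is an assumption). Folded header lines are joined before matching. The example also shows two limits worth knowing before relying on a subject filter: the body is never examined, and a subject sent as an RFC 2047 encoded word (=?utf-8?b?VklBR1JB?= decodes to VIAGRA) is not decoded, so it slips past a plain substring match. The sample messages are constructed.

```python
"""Header-substring filter with Space Patrol Filter semantics.

Added example, not Glenn Anderson's plugin.  The four ResEdit strings map
onto the four parameters of header_filter()."""
from typing import List, Optional, Tuple


def unfold_headers(raw: bytes) -> List[Tuple[bytes, bytes]]:
    """Split the header block into (NAME, value) pairs, NAME upper-cased.

    Continuation lines (RFC 2822 section 2.2.3: lines starting with space
    or tab) are joined onto the preceding header before any matching."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers: List[List[bytes]] = []
    for line in head.split(b"\r\n"):
        if line[:1] in (b" ", b"\t") and headers:
            headers[-1][1] += b" " + line.strip()
            continue
        name, sep, value = line.partition(b":")
        if sep:
            headers.append([name.strip().upper(), value.strip()])
    return [(n, v) for n, v in headers]


def header_filter(raw: bytes, header: str = "SUBJECT:", pattern: str = "VIAGRA",
                  reply: str = "550 5.7.0 message unacceptable") -> Optional[str]:
    """Return the SMTP reply if the named header contains the pattern, else None.

    Entries must be ALL CAPS, as the tutorial requires; the match is made
    against the upper-cased header value (assumption about the plugin).
    Only headers are examined, never the body, and RFC 2047 encoded words
    such as =?utf-8?b?VklBR1JB?= are not decoded, so they evade the check."""
    if header != header.upper() or not header.endswith(":"):
        raise ValueError("field 3 must be the header name in ALL CAPS, ending in ':'")
    if pattern != pattern.upper():
        raise ValueError("field 4 must be in ALL CAPS")
    want, needle = header[:-1].encode(), pattern.encode()
    for name, value in unfold_headers(raw):
        if name == want and needle in value.upper():
            return reply
    return None


if __name__ == "__main__":
    # Constructed messages, not captured traffic.
    spam = b"From: a@example.com\r\nSubject: cheap\r\n VIAGRA now\r\n\r\nbody"
    encoded = b"From: a@example.com\r\nSubject: =?utf-8?b?VklBR1JB?=\r\n\r\nbody"
    print(header_filter(spam))        # bounced: folded subject still matches
    print(header_filter(encoded))     # None: encoded-word subject evades
```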
 
How can I build my own DNSBL?
Use ResEdit to modify the appropriate resource of an existing DNSbl filter to point to yours (e.g. blackholes.yourdomain.net).
Create a zone in your DNS for blackholes.yourdomain.net.
Enter the listed addresses as names with the octets reversed, so that the address aaa.bbb.ccc.ddd becomes:
ddd.ccc.bbb.aaa.blackholes.yourdomain.net IN A 127.0.0.2 ;SPAM IP
A TXT record on the same name can carry the reason for the listing, so that anyone who looks the address up can see why it is there.
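An added Python helper (not from the FAQ or from EIMS) that writes the zone records for such a private DNSBL from a list of addresses or netblocks with a reason for each. It emits the reversed-octet A record with the conventional 127.0.0.2 answer, a TXT record carrying the reason, a 127.0.0.2 test entry that lets a client confirm the zone is answering, and a wildcard owner name for netblocks on an octet boundary (a /24 becomes *.ccc.bbb.aaa), enumerating the addresses of smaller blocks instead. The SOA and NS records every zone needs are left to your DNS server configuration; the BIND-style $ORIGIN and $TTL directives and the sample listings are assumptions.

```python
"""Generate records for a private DNSBL zone.

Added example; BIND zone-file syntax is assumed.  Owner names are relative
to $ORIGIN, so "10.2.0.192" means 10.2.0.192.blackholes.yourdomain.net."""
import ipaddress
from typing import List, Tuple

ZONE = "blackholes.yourdomain.net"
LISTED = "127.0.0.2"          # conventional "listed" answer, as in the text above


def reversed_owner(ip: str) -> str:
    """192.0.2.10 -> 10.2.0.192 (octets reversed, relative owner name)."""
    return ".".join(reversed(str(ipaddress.IPv4Address(ip)).split(".")))


def owners_for(entry: str) -> List[str]:
    """Owner names that cover one address or netblock.

    Blocks on an octet boundary get one wildcard record (a /24 becomes
    *.ccc.bbb.aaa); smaller blocks are enumerated, since a wildcard cannot
    express part of an octet.  Larger blocks off an octet boundary are
    refused rather than silently emitting thousands of names."""
    net = ipaddress.IPv4Network(entry, strict=False)
    if net.prefixlen == 32:
        return [reversed_owner(str(net.network_address))]
    if net.prefixlen in (8, 16, 24):
        kept = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ["*." + ".".join(reversed(kept))]
    if net.prefixlen > 24:
        return [reversed_owner(str(a)) for a in net]   # every address, incl. first and last
    raise ValueError(f"{entry}: use /8, /16, /24, a single address, or a block of /25 or smaller")


def zone_records(listings: List[Tuple[str, str]], zone: str = ZONE,
                 answer: str = LISTED) -> List[str]:
    """Zone-file lines for the listings, each given as (ip_or_cidr, reason)."""
    lines = [f"$ORIGIN {zone}.", "$TTL 3600"]
    # Test entry: a client can look up 127.0.0.2 to confirm the zone answers.
    lines += [f"2.0.0.127 IN A {answer}", '2.0.0.127 IN TXT "DNSBL test entry"']
    for entry, reason in listings:
        if '"' in reason:
            raise ValueError("reason must not contain double quotes")
        for owner in owners_for(entry):
            lines.append(f"{owner} IN A {answer}")
            lines.append(f'{owner} IN TXT "{reason}"')
    return lines


if __name__ == "__main__":
    # Constructed sample listings using documentation address blocks.
    sample = [("192.0.2.10", "Open relay"),
              ("203.0.113.0/24", "Spam netblock"),
              ("198.51.100.4/30", "Dialup spam run")]
    print("\n".join(zone_records(sample)))
```

Keep the TTL short while you are still adding and removing entries; a client that cached a listing for a day will keep bouncing a host long after you delisted it.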
 
How can I find out if an IP number is listed in a DNSBL?
Typically, if an email is rejected by a DNSBL used by a destination mail server, the bounce message will refer to the web site for the blacklist. If you wish to do a general search, here are some sources:
A cgi script driven web site provided by Osirusoft that allows you to enter an IP number. This engine will submit the IP number to a large set of DNSBL's and list the results - http://relays.osirusoft.com/cgi-bin/rbcheck.cgi
Not Just Another Blacklist - http://njabl.org/
 
How do I set up a "spam trap" address?
http://www.eudora.co.nz/eimsfilters.html - Glenn's spam trap filter (blocks email from a trap address)
or create a group with the name `dev-null` and forward the spam trap address mailbox (and any other black-hole usernames you create over time) to that group

Other Resources

Where can I read more about spam?
SPAM: It's completely out of control
http://basic.wirehub.nl/blackholes.html (First & Second paras)
http://basic.wirehub.nl/spamstats.html (First text para)
 
 
Are there other FAQ's about EIMS?
There used to be an excellent EIMS FAQ hosted at www.usmac.net. It is currently out of service (9/02).


Eudora Internet Mail Server is a trademark of QUALCOMM Incorporated.

This FAQ is a joint effort by Tom Shaw of OITC and Phil McNamara of CommonGound Softworks.